SUBJECT TO CHANGE
Please note this is an evolving service, with specifications subject to change in future. This document will be maintained based on any future specification changes that pertain to the sections in this document.
This page is mainly targeted at a technical audience who should be familiar with Microsoft Teams, PowerShell and M365 services in general. It walks through the configuration steps that need to be performed within your Azure and O365 Teams tenant:
- Enable Private Endpoint connections within your Azure tenant
- Consent to the Luware Recording Bot permissions
- Whitelist the Luware Recording Bot applications
- Create Microsoft Teams Compliance Policies
- Grant Microsoft Teams Compliance Policies to the mandated Microsoft Teams users
Customer Tenant Configuration Steps
This section details the configuration settings that need to be created and applied within your Azure tenant. Each step below must be adhered to.
Enable Private Endpoint Network Resources
✅ To allow Luware Recording to connect a Luware Private Endpoint to your Azure Storage Account, the Microsoft.Network resource provider must first be enabled in the customer's Azure subscription.
- Sign in to Azure portal.
- Search for Subscriptions.
- Select the subscription you created for the recording project.
- Select Settings > Resource providers in the left side menu.
- Find the resource provider “Microsoft.Network”.
- Click Register.
Consent to Luware Recording Graph API Permissions
You must consent to permissions within your Azure tenant for the Luware Recording bot and related features. The Luware Recording Graph API Application ID and the permissions that you need to consent to are listed below:
GLOBAL ADMINISTRATOR ACCOUNT NEEDED
You need to use a "Global Administrator" Account for consenting to the Luware Recording Bot Azure Application.
Luware Recording Bot Azure Application ID:
Multi-Tenant Germany
Bot ID | App ID | Service |
---|---|---|
1 | ✅ Contact your partner admin or Luware technician for the App ID. | <App ID Bot 1> |
2 | ✅ Contact your partner admin or Luware technician for the App ID. | <App ID Bot 2> |
Multi-Tenant Switzerland
App ID | Service |
---|---|
✅ Contact your partner admin or Luware technician for the App ID. | <Recording Bot API Identity> |
Recording Application Permissions
The following permissions are required for Luware Recording:
Type | API/Permissions | Short Description | Technical Description |
---|---|---|---|
Delegated | User.Read | Sign in and read user profile - User | The Luware Recording portal will redirect users to your Azure Active Directory login page when a user attempts to sign in. This permission allows the users to sign in to the Luware Recording portal. The user details are pulled from Azure Active Directory using a combination of the permissions below. |
Application | Calls.AccessMedia.All | Access media streams in a call as an app | This permission is mandated by Verint and Microsoft for recording. |
Application | Calls.JoinGroupCall.All | Join group calls and meetings as an app | This permission is mandated by Verint and Microsoft for recording. |
Application | Calls.JoinGroupCallAsGuest.All | Join group calls and meetings as a guest | This permission is mandated by Verint and Microsoft for recording. |
Application | OnlineMeetings.Read.All | Read online meeting details | This permission is mandated by Verint for selective recording scenarios and additional meeting metadata. |
Application | Calendars.Read | Read meeting and display names | This permission is mandated by Verint for selective recording scenarios and additional meeting metadata. |
Application | Group.Read.All | Read all groups | To determine who to record from your tenant, we need to have a way of identifying groups of users for recording, supervision and administrative functions. To do this, we will ask you to configure 3 sets of groups. The system will then query those specific groups every day requesting user details for each user. |
Application | GroupMember.Read.All | Read all group memberships | To pull the specific users that are members of the groups specified in the Group.Read.All permission. |
Application | User.Read.All | Read all users' full profiles | To determine the user's extension for recording, we need to pull the user's details such as the Id field from Azure. |
☝ Permissions cannot be customized in a multi-tenant environment.
Once the preconditions on this page are met and the permissions have been consented to successfully, the Graph API permissions listed in the table above will allow for:
- Microsoft Teams Compliance Recording
- VFC Web Portal Single Sign On via Azure Entra ID Authentication
- VFC Azure Entra ID Synchronization
To consent to these permissions, you will need to follow both of the links below (ensuring <CUSTOMER TENANT ID> and <APP ID Bot> are replaced with your Tenant ID and the Bot's App ID, respectively) and sign in as a Global Administrator:
Multi-Tenant Germany
Voice Recording Bot 1:
|
Voice Recording Bot 2:
|
Multi-Tenant Switzerland
https://login.microsoftonline.com/<CUSTOMER TENANT ID>/adminconsent?client_id=<Recording Bot API Identity>&state=12345&redirect_uri=https://luware.com
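One way to confirm that consent granted exactly the permissions in the table above and nothing more. This is an added example, not Luware's code; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed, and `<APP ID Bot>` is the same placeholder used on this page.

```powershell
# Added example, not Luware's code. Assumes the Microsoft.Graph PowerShell module.
$botAppId = '<APP ID Bot>'   # placeholder: the App ID you consented to

# Application permissions from the table on this page (Microsoft Graph spelling).
$expected = @(
    'Calls.AccessMedia.All', 'Calls.JoinGroupCall.All', 'Calls.JoinGroupCallAsGuest.All',
    'OnlineMeetings.Read.All', 'Calendars.Read', 'Group.Read.All',
    'GroupMember.Read.All', 'User.Read.All'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$bot = Get-MgServicePrincipal -Filter "appId eq '$botAppId'"
if (-not $bot) { throw "No service principal found for '$botAppId'. Admin consent has not completed." }

# The Microsoft Graph service principal maps app role IDs to permission names.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graph.AppRoles) { $roleName[[string]$role.Id] = $role.Value }

# Application permissions actually granted to the bot against Microsoft Graph.
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $bot.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $roleName[[string]$_.AppRoleId] })

# Delegated scopes granted to the bot (User.Read is the only one the page lists).
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($bot.Id)'" -All
$delegated = @($grants.Scope -split '\s+' | Where-Object { $_ })

# Empty Missing/Unexpected fields mean the grant matches the documented set.
[pscustomobject]@{
    ServicePrincipal      = $bot.DisplayName
    MissingApplication    = ($expected | Where-Object { $_ -notin $granted }) -join ', '
    UnexpectedApplication = ($granted | Where-Object { $_ -notin $expected }) -join ', '
    MissingDelegated      = if ('User.Read' -in $delegated) { '' } else { 'User.Read' }
    UnexpectedDelegated   = ($delegated | Where-Object { $_ -ne 'User.Read' }) -join ', '
} | Format-List
```

Run it once per bot App ID; any value in an `Unexpected*` field is a permission to question before going live.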
Whitelist Luware Recording Bot Graph Application
The Luware Recording Bot Application needs to be whitelisted within your tenant. This section provides the PowerShell commands to meet this requirement, using the Teams PowerShell Module.
You need to use the correct account that has full admin privileges in your Teams environment. Also make sure that the latest Teams PowerShell Module is installed:
Import-Module MicrosoftTeams
Connect-MicrosoftTeams
The commands below create an application user object within your tenant, which is used to whitelist the Luware Bot Application ID. Two are required for 2N recording. Use the format <UniqueUPN>@<CustomerDomain> for the UPN:
Multi-Tenant Germany
Voice Recording Bot 1
New-CsOnlineApplicationInstance -UserPrincipalname <UPN> -DisplayName <displayName> -ApplicationId <APP ID Bot 1>
Voice Recording Bot 2
New-CsOnlineApplicationInstance -UserPrincipalname <UPN> -DisplayName <displayName> -ApplicationId <APP ID Bot 2>
Multi-Tenant Switzerland
New-CsOnlineApplicationInstance -UserPrincipalname <UPN> -DisplayName <displayName> -ApplicationId <Recording Bot API Identity>
Create Microsoft Teams Compliance Policies
This section explains the concept and creation of Microsoft Teams Compliance Recording Policies within your tenant. Note the differences between Fail Open and Fail Close Policies:
- Fail Close - When a Recorded Microsoft Teams user is under strict compliance (i.e. mandated to be recorded at all times) then, if the call recording fails for any reason, the call will fail to connect and display an error message “We couldn't connect you - There was a problem setting up the recording required by your org.”
- Fail Open - Opposite of Fail Close, i.e. if the recording fails for any reason, the call will still be allowed to take place. No error message or notification will be displayed to the end user.
To create a blanket policy without any settings, execute the command below.
- Replace <Policy Description> with a desired policy description value.
- Replace <PolicyName> with a desired policy name.
New-CsTeamsComplianceRecordingPolicy -Enabled $true -Description '<Policy Description>' -Identity '<PolicyName>'
Once the above policy has been created, we will then configure the Teams Compliance Policy Settings. Refer to the table below for the parameter options. Fail Open is 0 (off) and Fail Close is 1 (on). Luware always recommends using Fail Close for compliance recording.
Name of Parameter | Description | Default Setting |
---|---|---|
RequiredBeforeCallEstablishment | Defines if the bot has to join the call before the recorded user can place or receive calls | 1 (On) |
RequiredBeforeMeetingJoin | Defines if the bot has to join the call before the recorded user can join the meetings | 1 (On) |
RequiredDuringCall | Defines if the recorded user will be disconnected from the call if the recorder bot connection is lost | 1 (On) |
RequiredDuringMeeting | Defines if the recorded user will be disconnected from the meetings if the recorder bot connection is lost | 1 (On) |
You can choose from either the Fail Open or Fail Close policies below.
Multi-Tenant Germany
- Replace the <PolicyName> with the Policy Name created previously
- Replace the <ObjectId> with the value of the Object ID from the output of the New-CsOnlineApplicationInstance command of Voice Recording Bot 1
Multi-Tenant Switzerland
- Replace the <PolicyName> with the Policy Name created previously
- Take note of the "Object ID" from the output of the command from the "Whitelist" section, then replace <ObjectId> with this value in the command
Fail Open Policy:
New-CsTeamsComplianceRecordingApplication -Identity 'Tag:<PolicyName>/<ObjectId>' -RequiredBeforeCallEstablishment $false -RequiredDuringCall $false -RequiredBeforeMeetingJoin $false -RequiredDuringMeeting $false
Fail Close Policy:
New-CsTeamsComplianceRecordingApplication -Identity 'Tag:<PolicyName>/<ObjectId>' -RequiredBeforeCallEstablishment $true -RequiredDuringCall $true -RequiredBeforeMeetingJoin $true -RequiredDuringMeeting $true
💡If there is a need to create multiple compliance policies (for example a fail open and a fail close policy), then repeat the steps within this section for each new policy, ensuring each new policy references the same Object ID for the white listed application.
Multi-Tenant Germany
Setting up 2N recording
To configure 2N recording, follow the instructions below:
- Replace the <PolicyName> with the name of the policy previously created
- Replace <ObjectId> with the Object ID from the results of the New-CsOnlineApplicationInstance command of Voice Recording Bot 1
- Replace <ObjectId_of_Bot2> with the Object ID from the results of the New-CsOnlineApplicationInstance command of Voice Recording Bot 2
Set-CsTeamsComplianceRecordingApplication -Identity 'Tag:<PolicyName>/<ObjectId>' -ComplianceRecordingPairedApplications @(New-CsTeamsComplianceRecordingPairedApplication -Id '<ObjectId_of_Bot2>')
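A check that a policy really ended up Fail Close and, for 2N, paired with the second bot. This is an added example, not Luware's code; it assumes an existing Connect-MicrosoftTeams session and reuses the `<PolicyName>` placeholder from this page.

```powershell
# Added example, not Luware's code. Requires an active Connect-MicrosoftTeams session.
$policyName = '<PolicyName>'   # placeholder: the policy created earlier

# The four settings from the parameter table; all on = Fail Close, all off = Fail Open.
$flags = 'RequiredBeforeCallEstablishment', 'RequiredBeforeMeetingJoin',
         'RequiredDuringCall', 'RequiredDuringMeeting'

$policy = Get-CsTeamsComplianceRecordingPolicy -Identity $policyName

if (-not $policy.Enabled) {
    Write-Warning "Policy '$policyName' is disabled, so assigned users are not recorded."
}

# A blanket policy with no recording application attached records nothing.
$apps = @($policy.ComplianceRecordingApplications)
if ($apps.Count -eq 0) {
    Write-Warning "Policy '$policyName' has no recording application attached."
}

$report = foreach ($app in $apps) {
    # Flags that are switched off for this bot.
    $off = @($flags | Where-Object { -not $app.$_ })
    $mode = if ($off.Count -eq 0) { 'Fail Close' }
            elseif ($off.Count -eq $flags.Count) { 'Fail Open' }
            else { 'Mixed' }

    [pscustomobject]@{
        BotObjectId = $app.Id
        Mode        = $mode
        FlagsOff    = $off -join ', '
        # Object ID of Voice Recording Bot 2 when 2N recording is configured.
        PairedBots  = @($app.ComplianceRecordingPairedApplications).Id -join ', '
    }
}

$report | Format-Table -AutoSize
```

A `Mixed` row means only some of the four flags are on, so recording failure blocks some call phases but not others; review it against the intended policy.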
Teams Compliance Policy
You will need to grant the Teams Compliance Recording Policy/Policies created previously. Luware recommends applying compliance policies to the Azure Entra ID security groups that are synchronized within Luware Recording. Below is an example of how to grant the compliance policy to a Microsoft Teams User/Group within your tenant.
💡Note that
- Luware does not support compliance policies being enabled to an entire tenant.
- Luware does not recommend applying compliance policies to users.
- User policy assignment overrules group policy assignment.
Grant to a group
In the PowerShell command below, which grants a Teams compliance policy to an Azure Entra ID group (applies to the 'Recorded Users' security group only):
- Replace <Azure Entra ID Security Group ID> with the AAD Security group ID of the recorded user group
- Replace <PolicyName> with the name of the recording policy created previously
New-CsGroupPolicyAssignment -GroupId "<Azure Entra ID Security Group ID>" -PolicyType TeamsComplianceRecordingPolicy -PolicyName "<PolicyName>"
Grant to a user
In the PowerShell command below, which grants a Teams compliance policy to an individual user:
- Replace <Users UPN> with the UPN of the user you are assigning the policy to
- Replace <PolicyName> with the name of the recording policy created previously
Grant-CsTeamsComplianceRecordingPolicy -Identity '<Users UPN>' -PolicyName '<PolicyName>'
POLICY APPLICATION DELAY
Note that Microsoft states that compliance policy assignment can take up to 24 hours to apply; however, in most cases this will occur within an hour.
Check a granted policy
Use the following command to check if the policy has been applied to the users:
Get-CsOnlineUser -Identity '<Users UPN>' | Select-Object -ExpandProperty 'TeamsComplianceRecordingPolicy'
Azure Active Directory Synchronization
Recording makes use of Azure Entra ID to sync users and extensions. For this to be possible, security groups will need to be created for each of the 3 roles (Recorded user, Supervisor, Administrator) above. Return a list of the groups created in the following format:
Security Group DisplayName | Role |
---|---|
ABC_Administrators | Administrators |
ABC_RecordedUsers | Recorded Users |
ABC_Supervisors | Supervisors |
Ensure the users are added to the correct groups before engaging Luware to configure the Azure Entra ID Synchronization. Users can be members of more than one group. For example, a Supervisor is by default not recorded. If a user needs the rights of a supervisor but also needs to be recorded, then that user MUST be a part of both the Recorded Users group and the Supervisor group.
💡If a bespoke configuration is required for roles or additional roles are required, consult your Luware point of contact.
Recording Web Portal
Once the onboarding process has been completed and Recording is live, you have the ability to access recordings for playback. This is done through a web portal. You need to log in with your Azure Entra ID UPN and Password.
✅ Contact your partner admin or a Luware technician to get the link to the portal.
Luware Support
Luware Website | https://luware.com/support/ |
---|---|
Luware Helpdesk | https://helpdesk.luware.cloud |
Cloud Service Status | https://status.luware.cloud/ |